Full disk encryption



  • Corporate IT in my company is rolling out full disk encryption for all laptops (McAfee, apparently). While it does make (some degree of) sense for managers and sales and the like, I am worried about the impact it might have on devs such as me. Of course, we are just a handful of lowly employees so no one bothered to even answer to my concerns when I raised them a few months ago (when the program was initially announced).

    So I turn to you for your opinion: is it likely to totally screw up my compilation time (Visual, C++) and other activities that are normal for devs but not for other users (i.e. I don't care whether editing a Word doc will be affected)?

    (Edit: I forgot to mention, in case that matters, my laptop does not have an SSD)

    Also, I'd like to run a simple before/after comparison to see the impact on compilation (and potentially send a "fuck you" to IT later...). I'm planning on taking my current sandbox, clean it, reboot, compile from scratch, then do the same test after encryption. Any advice here?



  • @remi said in Full disk encryption:

    So I turn to you for your opinion: is it likely to totally screw up my compilation time (Visual, C++) and other activities that are normal for devs but not for other users (i.e. I don't care whether editing a Word doc will be affected)?

    I didn't notice any difference in compilation times after they applied full disk encryption. Or in anything else; encryption is pretty lightweight.


  • Grade A Premium Asshole

    @remi said in Full disk encryption:

    Corporate IT in my company is rolling out full disk encryption for all laptops (McAfee, apparently).

    Do you have any idea why they are not using the same feature that is built in to Windows? Using McAfee anything is a :wtf: in and of itself.



  • @Polygeekery said in Full disk encryption:

    Do you have any idea why they are not using the same feature that is built in to Windows? Using McAfee anything is a :wtf: in and of itself.

    Almost certainly because they already have other McAfee products deployed and they can verify compliance in ePO (one central place). :shrug:


  • Grade A Premium Asshole

    @heterodox said in Full disk encryption:

    Almost certainly because they already have other McAfee products deployed

    You're not helping their case.



  • @Polygeekery And yet that's the answer I was going to give. See my recent post in the status thread about deleting taking hours, probably due to McAfee fuckery.

    Unfortunately given how (un)responsive corporate IT is when you try and point out any potential issue, I don't even have the energy to try asking them why.

    I know it's a lost battle, all I can do is delay a bit when my laptop will be encrypted (the official deadline is the end of the month!). But I want to document it a bit so that if encryption turns out to be too costly, I can later post on the internal forum something along the line of "compilation is now x% slower, corporate IT has just cost me x% of my productivity" (I know, I'm not always compiling, but that's the idea).

    Now, the first feedback from other users (non-devs, but who do more than just editing Word docs) is the same as what @fbmac said, i.e. close to no impact. I hope it will be the same for me.



  • @Polygeekery said in Full disk encryption:

    Do you have any idea why they are not using the same feature that is built in to Windows?

    Btw and out of curiosity, which version of Windows are you talking about? We're running 7 on all computers, so if it's more recent than that, that wouldn't be an option...


  • Grade A Premium Asshole

    @remi Bitlocker


  • SockDev

    @remi said in Full disk encryption:

    @Polygeekery said in Full disk encryption:

    Do you have any idea why they are not using the same feature that is built in to Windows?

    Btw and out of curiosity, which version of Windows are you talking about? We're running 7 on all computers, so if it's more recent than that, that wouldn't be an option...

    bitlocker is what you want. it's available on windows 7 if you have the right version of windows (i thiiiiiiink it's pro and up, but it might be higher.)


  • SockDev

    @accalia said in Full disk encryption:

    i thiiiiiiink it's pro and up, but it might be higher

    I'm pretty sure it's available in Pro.



  • @remi said in Full disk encryption:

    @Polygeekery And yet that's the answer I was going to make. See my recent post in the status thread about deleting taking hours, probably due to McAfee fuckery.

    Unfortunately given how (un)responsive corporate IT is when you try and point out any potential issue, I don't even have the energy to try asking them why.

    I know it's a lost battle, all I can do is delay a bit when my laptop will be encrypted (the official deadline is the end of the month!). But I want to document it a bit so that if encryption turns out to be too costly, I can later post on the internal forum something along the line of "compilation is now x% slower, corporate IT has just cost me x% of my productivity" (I know, I'm not always compiling, but that's the idea).

    Now, the first feedback from other users (non-devs, but who do more than just editing Word docs) is the same as what @fbmac said, i.e. close to no impact. I hope it will be the same for me.

    We use McAfee Endpoint Encryption on Windows laptops. No noticeable slowdown for anything.



  • @remi If your CPU was made in the last 5 years, then most likely not. They have hardware AES which is super fast compared to HDD speed.

    Also, all modern SSDs have built-in hardware encryption, and it's possible that McAfee just uses that. So just get an SSD.



  • @remi said in Full disk encryption:

    Corporate IT in my company is rolling out full disk encryption for all laptops (McAfee, apparently). While it does make (some degree of) sense for managers and sales and the like, I am worried about the impact it might have on devs such as me. Of course, we are just a handful of lowly employees so no one bothered to even answer to my concerns when I raised them a few months ago (when the program was initially announced).

    So I turn to you for your opinion: is it likely to totally screw up my compilation time (Visual, C++) and other activities that are normal for devs but not for other users (i.e. I don't care whether editing a Word doc will be affected)?

    (Edit: I forgot to mention, in case that matters, my laptop does not have an SSD)

    Also, I'd like to run a simple before/after comparison to see the impact on compilation (and potentially send a "fuck you" to IT later...). I'm planning on taking my current sandbox, clean it, reboot, compile from scratch, then do the same test after encryption. Any advice here?

    I expect little impact as long as your non-SSD has a big enough disk cache, or you don't have GB-sized projects.

    At one of my ex-companies we had a 1.5 GB VB.NET source code project to compile; it compiled slow as a snail and often greeted us with an "Out of memory" exception after 10+ minutes, at which point I had to reboot and compile it fresh, and it would likely be okay that time.

    I'd imagine that in such an extreme case adding encryption will have a noticeable impact on work efficiency.



  • @RaceProUK said in Full disk encryption:

    @accalia said in Full disk encryption:

    i thiiiiiiink it's pro and up, but it might be higher

    I'm pretty sure it's available in Pro.

    Pro for 8 & 10. Ultimate or Enterprise for 7.


  • Grade A Premium Asshole

    @loopback0 you're right. I always thought it was available on Pro. TIL



  • @cheong said in Full disk encryption:

    you don't have GB-sized projects.

    I just checked, the source code itself (just .h/.cpp, nothing else) is about 400 MB. So not GB-sized, but not a few lines of code either. My sandbox is currently 25 GB but it includes bits in release/debug, probably some old versions of some libs and other cruft. But Visual has never complained about it being too big.

    @anonymous234 said in Full disk encryption:

    So just get a SSD.

    I wish that was so easy. It's corporate IT. And IT helpdesk. And I have a non-standard laptop (because the standard ones are for Word/Outlook, duh!). And it would be capital expenditure. I already had to spend almost half-an-hour with someone from finance just to get one software license renewed, I can't imagine what it would be to actually order a physical item.

    Which brings back a lovely anecdote about IT security. I first got a standard laptop (while the correct one was being ordered) and when I went to the helpdesk to get it, I got a 5 min lecture on how I should always put on the screen protector (you know, the film that makes it impossible to show my coworkers what I'm working on) and so on. OK, I get it. Then a couple of weeks later, I get the new laptop. So when I get it from the helpdesk, I expect the same lecture. When it doesn't happen, I couldn't resist and asked them about a screen protector for my new laptop. "Oh, no, we don't have any protectors for this size of screen, so you'll have to do without one shrug". Ooo-kaay... I guess confidentiality and security is only an issue for managers, not for actual devs that, you know, do actual work.


  • area_deu

    @remi said in Full disk encryption:

    I guess confidentiality and security is only an issue for managers, not for actual devs that, you know, do actual work.

    No, because you see, nobody understands what you developers do anyway. So if anybody were to look over your shoulder, they wouldn't recognize any confidential information anyway. I mean all you're doing is just typing weird nonsense stuff in strange colors, amiright?



  • @Akko The sad thing is that while I was typing my previous message, that is exactly the thought I had.

    (and also, quite realistically, I can imagine that a competitor glimpsing sales number on a computer in e.g. an airport could see some interesting information, but a few lines of code are unlikely to be as immediately sensitive -- it might show which libs are used but it won't tell much about the algorithms or data structures, which are the real interesting bits)


  • area_deu

    @remi said in Full disk encryption:

    (and also, quite realistically, I can imagine that a competitor glimpsing sales number on a computer in e.g. an airport could see some interesting information, but a few lines of code are unlikely to be as immediately sensitive -- it might show which libs are used but it won't tell much about the algorithms or data structures, which are the real interesting bits)

    That's probably true. I mean, most of the time I'm not sure what I'm doing at a specific part of code, so how could anybody else just from a glimpse XD



  • TR:wtf: is that they care about shit like screen protectors but have made it to 2017 without disk encryption.
    I don't know how you guys test your stuff but our developers always have at least some kind of excerpt of the production databases lying around as test data. Otherwise you never know if your generated test data has the same skews and other peculiarities as the real data. You really don't want to leak those just because someone snatched your bag on the train. And unless you have all your source in public Github repos anyway there's probably more the company wouldn't want to see sold to the competition on there …



  • @LaoC said in Full disk encryption:

    I don't know how you guys test your stuff but our developers always have at least some kind of excerpt of the production databases lying around as test data. Otherwise you never know if your generated test data has the same skews and other peculiarities as the real data. You really don't want to leak those just because someone snatched your bag on the train.

    Primary/localhost testing on fully generated data, when that works test against an externally hosted DB instance with production data? Preferably from the cloud so you can put your DB passwords into the build system instead of either committing them or jumping through the hoops of keeping them in a .gitignored file.



  • @LaoC Oh yes, it's very likely that devs have bits of actual production sensitive data on their computers. But most devs don't have laptops (or maybe some shared ones used only when visiting clients or doing other external presentations, so with various docs but no code/data -- except all the data included into reports, presentations etc.!), so not many company laptops are likely to contain that kind of stuff.

    I guess there is at least as much sensitive information in managers' laptops, and in a much more readily usable form (sales numbers and spreadsheets, plans, client reports etc.). So it is astonishing that those haven't been encrypted until very recently. But even the screen protectors are something relatively new; it's only in the last couple of years that they've started issuing them as standard (well, for the standard laptops at least...).

    So yeah, we're not really good at IT security.


  • Impossible Mission Players - A

    @Maciejasjmj said in Full disk encryption:

    put your DB passwords

    our production password is prodaccess, so not too worried. :D


  • SockDev

    @Tsaukpaetra All I see is **********



  • @RaceProUK said in Full disk encryption:

    @Tsaukpaetra All I see is hunter2

    Hey, that's my password!


  • SockDev

    my password is just the mane six in order of awesomeness


  • SockDev

    @accalia If Twilight Sparkle isn't first, we're going to have to have a serious discussion :P


  • SockDev

    @RaceProUK said in Full disk encryption:

    @accalia If Twilight Sparkle isn't first, we're going to have to have a serious discussion :P

    i can neither confirm nor deny the veracity of your statement at this time.


  • :belt_onion:

    @remi said in Full disk encryption:

    which version of Windows are you talking about?

    @Polygeekery said in Full disk encryption:

    Bitlocker

    Bitlocker ain't no Windows version I ever heard of.


  • area_deu

    @obeselymorbid said in Full disk encryption:

    @remi said in Full disk encryption:

    which version of Windows are you talking about?

    @Polygeekery said in Full disk encryption:

    Bitlocker

    Bitlocker ain't no Windows version I ever heard of.

    What?



  • So I did my first benchmark, before encryption.

    Fresh check-out of a new sandbox, then reboot the computer (not sure why I decided to reboot after the check-out rather than include it in my benchmark... I guess I thought that while I recompile quite often, I don't check out a full sandbox often and thus it made more sense this way). I waited for 5-10 min to be sure that all the crap that loads at Windows start is done.

    Running the pre-build configuration script took 12 min (including 4 min to copy some external libs from network... should have done that manually since it's only done the first time. Oh well.).
    Opening VS and letting it scan all its includes and stuff took 9 min (I know, I can start using it during that time, but I figured it's also an indicator of how fast VS works, plus this way I make sure there are no competing operations running simultaneously).
    Compiling everything took 55 min.
    And since I had to do it in order to reset the test, deleting all the sandbox afterwards took 4 min.

    We'll see what it gives after encryption, but that'll probably be next week.

    The clean sandbox before configuration is 1.2 GB, after full compilation it goes to 15 GB.
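The before/after benchmark described in the post above, as an added PowerShell script (not from the thread or from any of its posters): it times the pre-build configure, a from-scratch rebuild and the sandbox delete, writes each run to a CSV tagged with a label so the pre- and post-encryption numbers can be compared, and records sandbox size. The sandbox path, configure script, solution file, and locating MSBuild through vswhere are assumptions.

```powershell
# Added example (not from the thread): times the phases of a clean-build benchmark
# so runs before and after disk encryption can be compared from the same CSV.
# Assumptions (placeholders, not from the page): sandbox root, pre-build script,
# solution file, and that vswhere.exe (VS 2017+) can locate MSBuild.
param(
    [string]$Sandbox   = 'C:\sandbox',                 # assumed sandbox root
    [string]$Configure = 'C:\sandbox\configure.cmd',   # assumed pre-build script
    [string]$Solution  = 'C:\sandbox\project.sln',     # assumed solution file
    [string]$Config    = 'Release',
    [string]$Label     = 'before-encryption',          # use 'after-encryption' on the second run
    [string]$Log       = "$env:USERPROFILE\fde-benchmark.csv"
)

function Get-DirSizeGB([string]$Path) {
    # Total size of the tree; the thread reports 1.2 GB clean and 15 GB after a full build.
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    return [math]::Round($sum / 1GB, 2)
}

function Invoke-TimedStep([string]$Name, [scriptblock]$Action) {
    # Measure-Command returns a TimeSpan for the script block; keep wall-clock minutes.
    $elapsed = Measure-Command -Expression $Action
    $row = [pscustomobject]@{
        Label   = $Label
        Step    = $Name
        Minutes = [math]::Round($elapsed.TotalMinutes, 2)
        Time    = (Get-Date).ToString('s')
    }
    $row | Export-Csv -LiteralPath $Log -Append -NoTypeInformation
    Write-Host ("{0,-12} {1,7} min" -f $Name, $row.Minutes)
}

# Locate MSBuild once so the lookup itself is not counted in the build time.
$vswhere = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
$msbuild = & $vswhere -latest -requires Microsoft.Component.MSBuild `
           -find 'MSBuild\**\Bin\MSBuild.exe' | Select-Object -First 1
if (-not $msbuild) { throw 'MSBuild not found; set $msbuild manually' }

Write-Host "Sandbox size before configure: $(Get-DirSizeGB $Sandbox) GB"

Invoke-TimedStep 'configure' { & $Configure | Out-Null }

# /t:Rebuild forces a from-scratch compile, the case the thread measures;
# a failed build must not be recorded as a fast one.
Invoke-TimedStep 'rebuild' {
    & $msbuild $Solution /t:Rebuild "/p:Configuration=$Config" /m /v:minimal | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "MSBuild failed with exit code $LASTEXITCODE" }
}

Write-Host "Sandbox size after build: $(Get-DirSizeGB $Sandbox) GB"

# Deleting the built tree was part of the original test, so time it as well.
Invoke-TimedStep 'delete' { Remove-Item -LiteralPath $Sandbox -Recurse -Force }
```

Run it once after a fresh check-out and reboot with `-Label before-encryption`, then repeat after encryption with `-Label after-encryption`; the CSV then holds both runs side by side for the per-step comparison.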


  • Impossible Mission Players - A

    @accalia said in Full disk encryption:

    my password is just the mane six in order of awesomeness

    Lyra, Bon Bon, Derpy, Vinyl, Octavia and Doctor Whooves

    ???



  • Just talked with a cow-orker who went through the process and told me that as part of setting up the encryption, IT asks us for our password (you know, the same that allows access to our email and all other intranet services such as HR records and so on) and then writes it with our username on a post-it stuck onto the laptop.

    If they do that with me, I'm still pondering whether to report that as an IT security breach just to fuck with them.

    (obviously that's the "writing on a post-it" that I really object to, IT can change my password if they want so it's not like they really cannot access my info if they wanted to)

    Meanwhile, I will obviously change my password to something else just before giving them the laptop, that's the least I can do. Any suggestion for something to subtly mess with their heads while not being overtly rude? (i.e. not "fuck0ff" or other similar stuff)


  • SockDev

    @remi l0ls3cur1ty?



  • @RaceProUK
    MyPasswordIsOnAPostit


  • BINNED

    @remi SomethingFromKeePassThatIChangeEvery3Days



  • @Luhmann
    IHopéYöùHàveâzèrty



  • @Luhmann said in Full disk encryption:

    IHopéYöùHàveâzèrty

    Mmm, that is an interesting idea, especially since after encryption we have to type the password into a dialog that apparently runs without the full Windows environment (i.e. the FAQ explicitly says "Certain keyboards and mice (especially the wireless versions) do not always work correctly in the pre-boot environment"). So if I pick some sufficiently arcane characters, it might be impossible to type them in, to which I could complain that the encryption is forcing me to make my password less secure, and let them deal with that.

    What weird characters can I input into the standard Windows password field, and how? I.e. emojis, Russian, Chinese, whatever?



  • @remi In our setup, McAfee's password is managed separately from the Windows one. Changing it is done in the same pre-boot environment where you unlock the disk encryption. I doubt it has any kind of SSO support.

    If your IT does password recording instead of proper key escrow, they may have disabled the ability to change those passwords.



  • @PleegWat The FAQ says that the pre-boot password should change when we change our Windows one, so I hope that bit won't be an issue...



  • @remi
    Or test the length limit: ThisIsMyPasswordPhrase.ItIsMineAloneAndShouldn'tBeWrittenDown.DefinitlyNotOnAPost-ItAndTaggedOnTheMachine.WhoCameUpWithThatStupidIdea?ThisReallyIsASeriousSecurityIssues.

    Bonus points for spreading it out over multiple post-its to increase the chance of one of them getting lost or reordered



  • @Luhmann That one seems a bit too hard to make look like it isn't tailored to piss them off (I have to type it to unlock my computer, which I am supposed to do every time I get up from my desk, so they could not possibly believe that I would type something that long 20 times a day).

    If I want to piss them off, I'll put "12345" or something like that ("hunter2" is too subtle, they wouldn't get it...). Which is actually a nice straightforward slap in the face way to tell them to fuck off while still being polite, so it's something I'm also considering.

    I like the special characters one, it's easier to make it look genuine.



  • @remi The Alt-codes seem to work in the standard login dialog. That should give me enough space (hmm, another good idea, can I put a space in there?) to put in a valid password while hopefully breaking the encryption login. Something like Alt+0191 (¿) or 0135 (‡) should be nice.

    I haven't checked whether it is actually accepted as a password, maybe the server checks for this. But since I can't change my password more than once a day (yay for stupid password rules!), I can't make many tests.


  • SockDev

    @remi said in Full disk encryption:

    I haven't checked whether it is actually accepted as a password, maybe the server checks for this. But since I can't change my password more than once a day (yay for stupid password rules!), I can't make many tests.

    Step the Frist: Get two computers on the domain
    Step the Second: log into both computers
    Step the Third: Open the change password dialog on one PC
    Step the Fourth: Open the change password dialog on the second PC and change your password
    Step the Fifth: Change your password again on the frist PC
    Step the George: Profit



  • @accalia Isn't it going to refuse to change my password the second time (step 5)? I mean, when using a single computer, just after I change my password I can re-open the password dialog, I only get the error when I actually try to submit a new password for the second time.


  • SockDev

    @remi You're assuming this has all been implemented properly :P



  • @RaceProUK Well, given the behaviour when using a single computer, what makes you believe that this would work when using two different ones?


  • SockDev

    @remi said in Full disk encryption:

    @accalia Isn't it going to refuse to change my password the second time (step 5)? I mean, when using a single computer, just after I change my password I can re-open the password dialog, I only get the error when I actually try to submit a new password for the second time.

    @remi said in About 5 minutes from now:

    [image: science_pony_by_pixelkitties.jpg]


  • SockDev

    @remi said in Full disk encryption:

    @RaceProUK Well, given the behaviour when using a single computer, what makes you believe that this would work when using two different ones?

    because my work domain has the same rule, but i use that trick to keep the same password when i'm forced to change it every 90 days. :-)


  • SockDev

    @remi said in Full disk encryption:

    @RaceProUK Well, given the behaviour when using a single computer, what makes you believe that this would work when using two different ones?

    Because I've been in this game long enough to know that nothing is ever quite as you expect it ;)



Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.